From: 

Sent: 04 December 2019 20:08 

To: SARguidance 

Subject: Survey 

Attachments: Your Tweets re Major vs Darren, Jackson & Ors (2019) 
Dear ICO, 


I have filled in your survey. 


As regards the provision of health data under a SAR: 


1) 


2) 


3) 


I would reiterate that - as the ICO clearly states on page 3 of its guidance - 
this is a right of access for individuals, not for third parties 

Third parties do not "become" data subjects, or inherit those rights, simply 
because they have assisted the data subject in making their request 


I would remind the ICO that the obligation of the controller is to the data 
subject (the individual), not the third party 

As long as the SAR has been provided/supplied to the data subject then the 
controller has complied with Article 15 

Supplying the SAR to a third party does not fulfil the requirements of Article 15, 
and data controllers are under no obligation to disclose a SAR to a third 
party 

(except, perhaps, where disclosure to the data subject is impossible - e.g. they 
are in prison, where the clear alternative would be a failure to uphold the right 
of access entirely) 

Data subjects are free to disclose their SAR to whomsoever they like, once 
provided with it by the data controller 


The phrase "If the individual agrees, you may send the response directly to the 
individual rather than to the third party" is utterly nonsensical. 

Data controllers cannot be "told" or "instructed" to disclose data to anyone, 
unless they are under a legal obligation to process data in that way. 

We GPs don't take "orders" from our patients. 

The right of access does not compel the controller to disclose personal data to 
anyone but the data subject - the individual. 

I am under no obligation to disclose the SAR to a solicitor, or upload it to 
Facebook, or send it to a newspaper, or post it half way round the world to 
Australia - just because the data subject says so, or disagrees otherwise. 


I attach the email that was sent to the ICO recently, as signed by myself and very 
many other IG leads, Caldicott Guardians, and DPOs in General Practice, and which 
makes clear the approach that we take, and why - we believe - the ICO is 
fundamentally wrong in its opinion on this matter. The law is clear. 


Kind regards, 


Oakley Health Group 
Yateley Medical Centre 
Oaklands 

Yateley 

Hampshire GU46 7LS 




www.oakleyhealth.org 


facebook.com/oakleyhealth 


